
Sophos XG - Unable to add ESXi Hosts via VPN

Hello All,

A short while ago I was running a main Sophos XG Firewall (on network 192.168.30.x) with IPsec tunnels to 2 locations which still had Sophos UTM 9. This worked fine for my remote ESXi 6.7 hosts and they worked well in vCenter 6.7 in my main location.

I have now upgraded the remote locations (192.168.100.x & 192.168.10.x) to Sophos XG as well and set up IPsec tunnels again.

I can get to both sites with RDS, ping devices, use file shares etc.

I cannot, however, add these hosts back into my vCenter; this just appears to time out.

I have confirmed that the NTP service is running and all the times match. I can even open the web interfaces for both ESX hosts from the main location, confirming I can see them over the network.

I have recently also reviewed the ports list on the VMware site and confirm these are all open at both ends, but still no connection from vCenter.

Is anyone able to help, as I'm pulling out what's left of my hair!

Thanks,

Mike.



This thread was automatically locked due to age.
FormerMember:

    Hi Mike, thanks for reaching out to the Sophos Community.

    As you said, you are able to access these ESXi hosts from the main location but can't add them back to the vCenter.

    It could be an issue with an MSS/MTU mismatch when traffic flows through XG over the IPsec tunnel.

    To check, try creating a route-based tunnel for testing and disable the working policy-based IPsec tunnel.

    The route-based tunnel will create a virtual interface on either end, as shown in the image below. Open the interface on each end, try lowering the MSS value to 1280 and check whether it works or not.

    How to create route-based IPsec tunnel: docs.sophos.com/.../CreatingRBVPN.html

    Attaching a few snapshots for your reference.
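As an added example (not part of this thread and not Sophos's own tooling), the Python below shows why an MSS/MTU mismatch over IPsec produces exactly the symptom described above (small packets such as pings and HTTP handshakes pass, while full-size TCP segments from vCenter do not) and why clamping the MSS to 1280 helps. The ESP tunnel-mode header sizes are the standard ones; the AES-GCM IV/ICV lengths, NAT-T UDP encapsulation and a 1500-byte WAN MTU are assumptions chosen for illustration, not values stated in the thread.

```python
"""Estimate whether a TCP segment of a given MSS survives an IPsec ESP
tunnel with a given WAN MTU, and derive the largest MSS that fits.

Added example: the overhead constants below are the standard ESP tunnel-mode
sizes; cipher parameters (AES-GCM, 8-byte IV, 16-byte ICV), NAT-T and a
1500-byte WAN MTU are assumptions, not values from the thread.
"""

IPV4_HDR = 20     # outer and inner IPv4 header, no options
TCP_HDR = 20      # inner TCP header, no options
UDP_HDR = 8       # NAT-T UDP encapsulation (UDP/4500), if in use
ESP_HDR = 8       # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2   # pad length (1 byte) + next header (1 byte)


def esp_tunnel_size(inner_payload_len, *, iv_len=8, icv_len=16,
                    nat_t=True, align=4):
    """Bytes on the wire for one inner IPv4 packet after ESP tunnel-mode
    encapsulation. `align` is the ESP padding boundary (4 for AES-GCM;
    a CBC cipher would need its block size, e.g. 16)."""
    inner_pkt = IPV4_HDR + inner_payload_len
    # ESP pads so that (inner packet + pad + trailer) is aligned.
    pad = (-(inner_pkt + ESP_TRAILER)) % align
    return (IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len
            + inner_pkt + pad + ESP_TRAILER + icv_len)


def fits(mss, wan_mtu, **kw):
    """True if a full-MSS TCP segment fits the WAN MTU without fragmentation.
    With DF set (common for TLS/HTTPS sessions) an oversized packet is dropped,
    which is what a 'connection just times out' symptom looks like."""
    return esp_tunnel_size(TCP_HDR + mss, **kw) <= wan_mtu


def max_mss(wan_mtu, **kw):
    """Largest MSS whose full segment fits; a simple downward scan is fine
    for MTUs in the 1500-byte range."""
    for mss in range(wan_mtu, 0, -1):
        if fits(mss, wan_mtu, **kw):
            return mss
    return 0


def report(wan_mtu=1500, candidates=(1460, 1280), **kw):
    """Map each candidate MSS to (wire size, fits?) for a quick comparison."""
    return {mss: (esp_tunnel_size(TCP_HDR + mss, **kw), fits(mss, wan_mtu, **kw))
            for mss in candidates}


if __name__ == "__main__":
    # Constructed scenario: default Ethernet MSS (1460) vs the 1280 clamp
    # suggested in the thread, both across an assumed 1500-byte WAN MTU.
    for mss, (size, ok) in report().items():
        print(f"MSS {mss}: {size} bytes on the wire -> {'fits' if ok else 'too big'}")
    print("largest MSS that fits:", max_mss(1500))
```

The default MSS of 1460 yields a 1500-byte inner packet which, once wrapped in ESP, exceeds the WAN MTU; a 1280 MSS leaves comfortable headroom. The exact ceiling depends on the cipher, NAT-T and any PPPoE or provider overhead, which is why a conservative clamp such as 1280 is a reasonable first test before tuning upward.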